Generating Pre-signed URIs with Azure Blob Storage

It is common to have files stored in Azure Blob storage, but we occasionally need to allow others to access those files. Sometimes we need to allow someone to upload a file; other times, we need to allow someone to download a file. Either way, we usually only want to allow partial control of the Blob files.

We can implement these restrictions by creating URIs with SAS tokens. A SAS (shared access signature) token grants access to a URL for a limited time. We often set these shared access signatures to expire after a short window, maybe allowing them to work for an hour or something similar.

How do you do this? It is pretty straightforward. You first must create an instance of BlobSasBuilder. Most of the rules around this access, such as the expiration time and the permissions allowed, are set through properties of this class. In the example below, we only allow Read access and expire access in one hour.

The next step is pretty simple. We have to create a BlobClient that points to the particular resource. Then we use the BlobClient and the BlobSasBuilder to generate our SAS URI.

A more advanced example (below) generates SAS URIs for all files within a given directory.
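The two steps above and the directory case, as an added example in C# against the Azure.Storage.Blobs SDK (this is not the post's original code). The class and method names are hypothetical, and the container client is assumed to have been created with a StorageSharedKeyCredential so that it can sign a SAS.

```csharp
using System;
using System.Collections.Generic;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Hypothetical helper class; names are illustrative, not from the original post.
public static class BlobSasExamples
{
    // Returns a read-only SAS URI for a single blob that expires in one hour.
    public static Uri GetReadUri(BlobContainerClient container, string blobName)
    {
        // Step 2 from the text: a BlobClient pointing at the particular resource.
        BlobClient blob = container.GetBlobClient(blobName);

        // False when the client was built without a shared key credential
        // (for example with a token credential); signing would fail in that case.
        if (!blob.CanGenerateSasUri)
            throw new InvalidOperationException(
                "Client cannot sign a SAS; create it with a StorageSharedKeyCredential.");

        // Step 1 from the text: the access rules live on the BlobSasBuilder.
        var builder = new BlobSasBuilder
        {
            BlobContainerName = blob.BlobContainerName,
            BlobName = blob.Name,
            Resource = "b",                                 // "b" scopes the SAS to one blob
            ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),  // one-hour window
            Protocol = SasProtocol.Https                    // reject the token over plain HTTP
        };
        builder.SetPermissions(BlobSasPermissions.Read);    // Read only: no write, delete or list

        return blob.GenerateSasUri(builder);
    }

    // Returns a read-only SAS URI for every blob under a virtual directory.
    public static IEnumerable<Uri> GetReadUrisForDirectory(
        BlobContainerClient container, string directory)
    {
        // Blob "directories" are name prefixes; the trailing slash keeps
        // "reports" from also matching "reports-archive/...".
        string prefix = directory.TrimEnd('/') + "/";

        foreach (BlobItem item in container.GetBlobs(prefix: prefix))
            yield return GetReadUri(container, item.Name);
    }
}
```

Each URI is a bearer credential: anyone who obtains it can read that blob until the expiry time, so keep the window short and the permission set minimal.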

This is a common pattern in enterprise software. Hopefully, this post will make this feature easier to implement on your projects.